I deploy ELK via helm charts in kubernetes environment as pods. Earlier, I always generated certs with default OID (from the example script) and things worked fine.
Now, my certificates cannot have an OID field and so, I intend to use the property searchguard.nodes_dn to list the DNs of the nodes.

But I still get this error in the Elasticsearch logs and the cluster doesn't come up -

"logger":"c.f.s.t.SearchGuardRequestHandler","timezone":"UTC","log":"ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with a non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someone is spoofing requests. Check your TLS certificate setup as described here: See http://docs.search-guard.com/latest/troubleshooting-tls]"}

When I add this parameter to elasticsearch.yml file directly, with the same key value pair, it works fine and cluster formation happens as expected.

Could you help me understand why this particular parameter refuses to get accepted when added as an env? Or if there is a particular way of setting this parameter?

List of environment variables set in the pod - env-list.txt (3.0 KB)
(I have not installed Kibana yet)

The file elasticsearch.yml is fixed in my case. The file is packaged in the docker image. As you can see, most of the parameters (keys) in elasticsearch.yml read their values from environment variables. So, depending on what environment variables are changed for the pod at run-time, the elasticsearch.yml properties would get configured accordingly and get used for the ES process.
According to docker-entrypoint.sh, other envs in the pod that have at least two dot-separated lowercase words get passed to the ES process too.

Environment variables are set for the container (pod) in the helm chart template. For ex.

I have been successful in configuring other searchguard parameters like searchguard.ssl.http.enabled_ciphers too as env to pods and it gets reflected properly.

shivani.aggarwal2195:

The whole output of the running process

But I don’t see other searchguard options among the process options, only searchguard.nodes_dn. This -E option, I can’t find it in the docs, could you please give me a link for the docs where this option is described?

I had not configured any more searchguard properties other than nodes_dn in the output I had shared.
But just to show that I have been successful in configuring other properties like searchguard.ssl.http.enabled_ciphers:

Today I ran some SearchGuard dockers and found that it is definitely possible to have an = sign in the Elasticsearch argument value. For example, look at the option -Esearchguard.ssl.transport.keystore_filepath in this running process:

@srgbnd, Thanks for the analysis.
But, I have ensured & re-checked that searchguard.nodes_dn parameter is set in each node of the cluster.

srgbnd:

It seems the searchguard.nodes_dn value is wrong somewhere.

I have tried configuring it in the following 3 ways, but I get the same error:
-Esearchguard.nodes_dn="CN=elasticsearch.shiv1,C=ELK"
-Esearchguard.nodes_dn=CN=elasticsearch.shiv1,C=ELK
-Esearchguard.nodes_dn=CN=elasticsearch.shiv1, C=ELK

Did you always have C=ELK? It looks wrong. The values must be of size 2 and a valid ISO 3166 Country Code.

Look, I try to create a certificate with the country name of size > 2 and have the validation error

$ openssl req -new -sha256 -key clientB-key.pem -out clientB-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:ELK
string is too long, it needs to be less than 2 bytes long

Yes, I always have C=ELK.
I am generating certificates using the example scripts in https://docs.search-guard.com/latest/tls-certificates-sample-scripts (in the folder example-pki-scripts).
Here, the script gen_node_cert.sh defines the certificate DN as DN="CN=$NODE_NAME.logging,C=ELK".
I have just modified this script & removed the oid part from certificate's SAN -

But I can’t find a way to provide the searchguard.nodes_dn value correctly if it is an environment variable. The option expects a value of type array. Arrays can be provided to Elasticsearch as a string concatenated with a comma “,”. For Elasticsearch CN=elasticsearch.shiv1,C=ELK means ["CN=elasticsearch.shiv1", "C=ELK"]. I tried to escape the comma value: "CN=elasticsearch.shiv1\,C=ELK" but it didn’t work.

Now, my certificates cannot have an OID field and so

Why can’t you use OID? If you want to keep certificate auth values as an environment variable this will work for you.
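
The comma splitting described in the thread, modelled as an added example (not part of any post here, and not Elasticsearch or Search Guard code): a string supplied for a list setting is cut at every comma, so a DN passed through -E falls apart into its RDNs and no single entry equals the certificate DN. The function names, the exact-match comparison and the YAML-list form of the working elasticsearch.yml entry are assumptions.

```python
# Added illustration: a simplified model, not Elasticsearch or Search Guard source.

def split_list_setting(raw):
    """Model a list setting given as one string: split on commas, trim items."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def normalize_dn(dn):
    """Normalize spacing between RDNs so 'CN=a, C=b' equals 'CN=a,C=b'."""
    return ",".join(part.strip() for part in dn.split(","))


def diagnose(cert_dn, nodes_dn):
    """Classify a nodes_dn list against the DN of a node certificate.

    'match'    - one entry equals the certificate DN
    'split'    - no entry matches, but the entries joined back together do,
                 i.e. one DN was broken apart at its commas
    'mismatch' - the list does not describe this certificate
    """
    want = normalize_dn(cert_dn)
    if any(normalize_dn(entry) == want for entry in nodes_dn):
        return "match"
    if normalize_dn(",".join(nodes_dn)) == want:
        return "split"
    return "mismatch"


# Constructed sample values, using the DN quoted in the thread.
CERT_DN = "CN=elasticsearch.shiv1,C=ELK"

# Assumed elasticsearch.yml form: a YAML list keeps the DN as one element.
FROM_YAML = ["CN=elasticsearch.shiv1,C=ELK"]

# The same text passed as -Esearchguard.nodes_dn=... arrives as one string.
FROM_ENV = split_list_setting("CN=elasticsearch.shiv1,C=ELK")
FROM_ENV_SPACED = split_list_setting("CN=elasticsearch.shiv1, C=ELK")
FROM_ENV_ESCAPED = split_list_setting("CN=elasticsearch.shiv1\\,C=ELK")

if __name__ == "__main__":
    cases = [("yaml list", FROM_YAML), ("env", FROM_ENV),
             ("env, spaced", FROM_ENV_SPACED), ("env, escaped", FROM_ENV_ESCAPED)]
    for label, entries in cases:
        print(f"{label:13} {entries!r:46} -> {diagnose(CERT_DN, entries)}")
```

A "split" result on a node means the configured list holds fragments of one DN rather than the DN itself, which is the condition the error message reports as "searchguard.nodes_dn incorrect configured".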